Develop servlet filters for form login processing
Overview
You can control the look and feel of the login screen using the form-based login mechanism. In form-based login, you specify a login page that is used to retrieve the user ID and password information. You also can specify an error page that displays when authentication fails. If additional authentication or additional processing is required before and after authentication, servlet filters are an option. Servlet filters can dynamically intercept requests and responses to transform or use the information contained in them. One or more servlet filters can be attached to a servlet or to a group of servlets. Servlet filters also can be attached to JSP files and HTML pages. All the attached servlet filters are called before the servlet is invoked.
Both form-based login and servlet filters are supported by any Web container that is compliant with the servlet version 2.3 specification. The form login servlet performs the authentication, and servlet filters perform additional authentication, auditing, or logging.
To perform pre-login and post-login actions using servlet filters, configure these filters either for the form login page or for the /j_security_check URL. The form login page posts to j_security_check with the j_username parameter containing the user name and the j_password parameter containing the password. A servlet filter can use the user name and password parameters to perform additional authentication or other custom processing.
If a servlet maps to many servlet filters, the filters are called in the order in which they are listed in the deployment descriptor of the application (web.xml).
A servlet filter implements javax.servlet.Filter. The following three methods must be implemented:
- init(javax.servlet.FilterConfig cfg). This method is called by the container exactly once when the servlet filter is placed into service. The FilterConfig passed to this method contains the init-parameters of the servlet filter. Specify the init-parameters for a servlet filter during configuration using the assembly tool.
- destroy(). This method is called by the container when the servlet filter is taken out of service.
- doFilter(ServletRequest req, ServletResponse res, FilterChain chain). This method is called by the container for every servlet request that maps to this filter, before the servlet is invoked. The FilterChain passed to this method is used to invoke the next filter in the chain. The original requested servlet executes when the last filter in the chain calls the chain.doFilter() method. Therefore, every filter must call chain.doFilter() for the original servlet to execute after filtering. If an additional authentication check implemented in the filter code fails, the filter does not call chain.doFilter(); the original servlet is then not executed, and the filter can redirect the client to an error page instead.
An example of a servlet filter follows. This login filter can be mapped to /j_security_check to perform pre-login and post-login actions.
import javax.servlet.*;

public class LoginFilter implements Filter {
    protected FilterConfig filterConfig;

    // Called once when this filter is instantiated.
    // If mapped to j_security_check, called the
    // very first time j_security_check is invoked.
    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterConfig = filterConfig;
    }

    public void destroy() {
        this.filterConfig = null;
    }

    // Called for every request that is mapped to this filter.
    // If mapped to j_security_check,
    // called for every j_security_check action.
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain)
            throws java.io.IOException, ServletException {
        // perform pre-login action here

        chain.doFilter(request, response); // calls the next filter in the chain,
                                           // or j_security_check if this filter is
                                           // mapped to j_security_check.

        // perform post-login action here.
    }
}
Place the servlet filter class file in the WEB-INF/classes directory of the application.
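The skeleton above leaves the pre-login and post-login actions empty. The following filter, added here as an example and not taken from the original page or from WebSphere itself, fills them in: it reads the j_username and j_password parameters posted to /j_security_check, rejects malformed user names before the form login servlet ever runs (redirecting to an error page instead of calling chain.doFilter()), and writes audit records before and after the container performs the login. The init-param name errorPage, its default value, the user-name pattern and the class name AuditingLoginFilter are all assumptions; the init-param would be supplied through the <init-param> element of the filter configuration in web.xml.

```java
import java.io.IOException;
import java.util.logging.Logger;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter intended to be mapped to /j_security_check.
// Not part of the original page; "errorPage" and USER_NAME are assumptions.
public class AuditingLoginFilter implements Filter {

    private static final Logger LOG =
            Logger.getLogger(AuditingLoginFilter.class.getName());

    // Only user names of this shape reach the container's form login servlet.
    // The pattern is an assumption; adjust it to the site's account naming rules.
    private static final Pattern USER_NAME = Pattern.compile("[A-Za-z0-9._-]{1,64}");

    private String errorPage;

    public void init(FilterConfig cfg) throws ServletException {
        // "errorPage" is a hypothetical <init-param> configured in web.xml.
        errorPage = cfg.getInitParameter("errorPage");
        if (errorPage == null) {
            errorPage = "/login_error.html"; // assumed default, relative to the context root
        }
    }

    public void destroy() {
        errorPage = null;
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        // ---- pre-login action ----
        String user = req.getParameter("j_username");
        String password = req.getParameter("j_password");
        String client = req.getRemoteAddr();

        if (user == null || password == null || !USER_NAME.matcher(user).matches()) {
            // Additional check failed: chain.doFilter() is deliberately NOT called,
            // so the form login servlet never executes for this request.
            LOG.warning("form login rejected by filter: user=" + sanitize(user)
                    + " client=" + client);
            res.sendRedirect(req.getContextPath() + errorPage);
            return;
        }
        // The password is never written to the log.
        LOG.info("form login attempt: user=" + user + " client=" + client);

        // Hand off to the next filter, or to j_security_check when this is the last one.
        chain.doFilter(request, response);

        // ---- post-login action ----
        // The container has already authenticated (or rejected) the user and
        // committed its redirect, so this stage only records that the attempt completed.
        LOG.info("form login processed: user=" + user + " client=" + client);
    }

    // Strip line breaks so a crafted user name cannot forge extra log entries.
    static String sanitize(String s) {
        if (s == null) {
            return "<null>";
        }
        return s.replaceAll("[\\r\\n]", "_");
    }
}
```

The redirect target is built from req.getContextPath() plus a path taken from the filter's own configuration, never from a request parameter, so the filter cannot be turned into an open redirect. Because this filter is mapped to /j_security_check, it is the container's form login servlet that ultimately decides whether the credentials are valid; the filter only adds the pre-login check and the audit trail around it.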
Configuring servlet filters
Overview
WebSphere Application Development Studio or the Assembly Toolkit can configure the servlet filters.
There are two steps in configuring a servlet filter.
- Name the servlet filter and assign the corresponding implementation class to the servlet filter.
Optionally, assign initialization parameters that get passed to the init() method of the servlet filter.
After configuring the servlet filter, the application deployment descriptor, web.xml, contains a servlet filter configuration similar to the following example:
<filter id="Filter_1">
    <filter-name>LoginFilter</filter-name>
    <filter-class>LoginFilter</filter-class>
    <description>Performs pre-login and post-login operation</description>
    <init-param> <!-- optional -->
        <param-name>ParameterName</param-name>
        <param-value>ParameterValue</param-value>
    </init-param>
</filter>
- Map the servlet filter to a URL or to a servlet.
After mapping the servlet filter to a servlet or a URL, the application deployment descriptor (web.xml) contains servlet mapping similar to the following example:
<filter-mapping>
    <filter-name>LoginFilter</filter-name>
    <url-pattern>/j_security_check</url-pattern>
    <!-- To map the filter to a servlet instead of a URL pattern, replace the
         url-pattern element with: <servlet-name>servletName</servlet-name> -->
</filter-mapping>